Here is my monthly update covering what I have been doing in the free software world during October 2020 (previous month):
- Opened a pull request for libIIO, a cross-platform library for interfacing with local and remote Linux Industrial I/O subsystem devices to make the build reproducible. [...]
- As part of my role as assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest, I attended their respective monthly meetings and participated in various licensing and other discussions occurring on the internet as well as the usual internal discussions, etc., including continuing the 'onboarding' of a new project to SPI.
- ora2pg is a tool used to migrate an Oracle database to PostgreSQL. This month, I submitted a patch to make it build reproducibly. [...]
- Addressed an issue filed by Bob Tanner by updating the documentation of my django-slack library, which provides a convenient wrapper between projects using Django and the Slack chat platform. [...]
- Opened a pull request against libsass-python (a straightforward binding of libsass for Python, to compile the Sass CSS extensions in Python without the conventional Ruby stack) in order to make the build reproducible. [...]
- For Lintian, the static analysis tool for Debian packages, I uploaded versions 2.97.0, 2.98.0, 2.99.0 & 2.100.0, updated the declares-possibly-conflicting-debhelper-compat-versions tag as we may specify the Debhelper compatibility level in debian/rules or debian/control (#972464), and dropped a reference to a missing manual page [...].
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising that identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
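As an added illustration of the point above (example code written for this page, not the project's own tooling): a toy build that stamps the wall-clock time into its output can never be confirmed by a second party, whereas one that honours the SOURCE_DATE_EPOCH convention from the Reproducible Builds specification yields byte-identical output on every run. The source string and the epoch value are constructed.

```shell
#!/bin/sh
# Added example: why embedded timestamps break reproducibility, and how
# SOURCE_DATE_EPOCH (Reproducible Builds convention) restores it.
set -eu

# Constructed "source" that both builds consume.
SRC='int answer(void) { return 42; }'

# naive_build: stamps the current wall-clock time into the artefact.
naive_build() {
    printf 'built-at: %s\n%s\n' "$(date +%s)" "$SRC"
}

# reproducible_build: takes the timestamp from SOURCE_DATE_EPOCH when it is
# set, so the value is a property of the source release, not of the build run.
reproducible_build() {
    printf 'built-at: %s\n%s\n' "${SOURCE_DATE_EPOCH:-$(date +%s)}" "$SRC"
}

# digest: SHA-256 of stdin (coreutils sha256sum or BSD/macOS shasum).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

# builds_match BUILD_FN: run BUILD_FN twice, at least one second apart, as two
# independent parties would, and print "yes" if the digests agree, else "no".
builds_match() {
    a=$("$1" | digest); sleep 1; b=$("$1" | digest)
    [ "$a" = "$b" ] && echo yes || echo no
}

echo "naive build reproducible:             $(builds_match naive_build)"
SOURCE_DATE_EPOCH=1601510400   # constructed: 2020-10-01 00:00:00 UTC
export SOURCE_DATE_EPOCH
echo "SOURCE_DATE_EPOCH build reproducible: $(builds_match reproducible_build)"
```

Only the second digest can be cross-checked by anyone else holding the same source, which is exactly the consensus the paragraph describes.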
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- Filed upstream pull requests against ora2pg, libsass-python & libiio.
- Wrote and published a supporter spotlight interview for the Civil Infrastructure Platform project. [...]
- In Debian:
  - Kept isdebianreproducibleyet.com up to date. [...]
  - Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
    - perl: Please make the build mostly reproducible. (#972559)
    - fckit: Please make the build (mostly) reproducible. (#972378)
    - libgrokj2k: Please make the documentation reproducible. (#972494)
    - netcdf-parallel: Please make the settings file reproducible. (#972930)
    - dh-fortran-mod: Please make the output reproducible version graph. (#965255)
  - Filed a bug against the emacs package to make the generated .el files reproducible, a regression that is causing many packages to become unreproducible. (#972861)
  - Helped draft a mailing list post to update dpkg-buildflags to enable reproducible=+fixfilepath by default.
  - I also submitted 10 patches to fix specific reproducibility issues in gmerlin-avdecoder, libsass-python, node-proxy, ora2pg, pcbasic, pitivi, ruby-appraiser, softether-vpn, sound-juicer & yard.
- Categorised a large number of packages and issues in the Reproducible Builds 'notes' repository.
- Drafted, published and publicised our monthly report.
I also updated the main Reproducible Builds website and documentation:
- Wrote and published two announcement blog posts regarding the restarting of our IRC meetings. [...][...]
- Added a citation link to the academic article regarding dettrace [...], and added yet another supply-chain security attack publication [...].
- Reformatted Jekyll's Liquid templating language and CSS formatting to be consistent [...] as well as expanded a number of tab characters [...].
- Used relative_url to fix a missing translation icon on various pages. [...]
- Added an explicit note regarding the lack of an in-person summit in 2020 to our events page. [...]
Lastly, I made the following changes to diffoscope, including preparing and uploading version 161 to Debian:
- Reviewed and merged functionality from Jean-Romain Garnier to add support for radare, a decompiler/reverse-engineering framework [...] and update debian/tests/control to match [...].
- Moved test_ocaml to the assert_diff helper. [...]
- Updated tests to support OCaml version 4.11.1. Thanks to Sebastian Ramacher for the report. (#972518)
- Bumped the minimum version of the Black source code formatter to 20.8b1. (#972518)
trydiffoscope is the web-based version of diffoscope. This month, I made the following changes:
- Marked the --help-only test as being a 'superficial' test. (#971506)
- Added a test that interacts with the try.diffoscope.org service. [...]
- Bumped the debhelper compatibility level to 13 [...] and bumped Standards-Version to 4.5.0 [...].
Debian
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged junit4 (CVE-2020-15250), libass (CVE-2020-26682), php5, ros-ros-comm (CVE-2020-16124), sympa & zabbix.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 2406-1 for jackson-databind, a Java library for processing JSON, to address an external entity expansion vulnerability.
- Issued DLA 2407-1 for tomcat8, the Java application server. This was to fix an issue where an excessive number of concurrent streams could have resulted in users seeing responses for unexpected resources.
- Issued DLA 2410-1 and ELA 301-1 for the BlueZ suite of Bluetooth tools, utilities and daemons to prevent a double-free vulnerability.
Uploads
- python-django (3.1.2-1) — New upstream bugfix release.
- 6.0.8-2 — Apply a patch from Yossi Gottlieb to fix a crash when reporting RDB/AOF file errors. (#972683)
- 6.0.9-1 — New upstream release.
- memcached (1.6.8+dfsg-1) — New upstream release.
- mtools (4.0.25-1) — New upstream release, where parsing the configuration file now works correctly with the Turkish locale. (#972387)
- bfs (2.0-1) — New upstream release.
- black (20.8b1-2) — Non-maintainer upload to correct version handling to avoid a ModuleNotFoundError which was affecting a number of related packages. (#970901)
Bugs filed
- lintian: Please detect sed -e 's@$(CURDIR)@...@' in debian/rules. (#972629)
- mdtraj: Manual pages appear to contain error messages instead of actual examples. (#972635)
- gita: Missing build-depends on python3-yaml. (#972493)
- git-buildpackage: Correct 'option' typo in manual page. (#972081)
